Last modified: 10 April 2018
Our procedures covering the storage and disclosure of your information are designed to comply with the Data Protection Act 1998 and the General Data Protection Regulation (GDPR).
MossPAM is committed to safeguarding the privacy of your information. By 'your information' we mean any information about you that you or third parties provide to us.
- We will only collect and use your information where we have lawful grounds and legitimate business reasons to do so
- We will be transparent in our dealings with you and will tell you about how we will collect and use your information
- If we have collected your information for a particular purpose, we will not use it for anything else unless you have been informed and, where relevant, your permission obtained
- We will not ask for more information than we need for the purposes for which we are collecting it
- We will continue to review and assess the quality of our information.
- We will implement and adhere to information retention policies relating to your information, and will ensure that your information is securely disposed of at the end of the appropriate retention period
- We will observe the rights granted to you under applicable privacy and data protection laws, and will ensure that queries relating to privacy issues are promptly and transparently dealt with
- We will train our staff on their privacy obligations.
- We will ensure we have appropriate physical and technological security measures to protect your information regardless of where it's held
- Personal Details
- Performance management details within our Observation and Self-Evaluation modules
- Student assessment details
- We also process sensitive classes of information that may include physical or mental health details; racial or ethnic origin; religious or other beliefs
In order to provide our full range of services, we may collect the following types of information:
PAM processes data provided by school/academy to allow them to:
- Make data about a student available to staff members and their parents/guardians to support the student's education
We will also use anonymised data (containing no user-identifiable information) for:
- Producing statistical analyses to help us improve our service and to support schools and academies
- Producing marketing materials
- MossPAM acts as a Data Processor and the school/academy transferring data to us acts as a Data Controller
- Maintained schools and academies generally have a lawful basis to process data related to students' education and to transfer it to PAM for processing to pursue their legitimate interests, but our customers are responsible for ensuring they have the necessary measures in place before they transfer data to us
We will not share, sell or distribute any of the information you provide to us without your consent, except where disclosure is:
- Necessary to enforce our rights, including under the PAM Terms and Conditions
- Necessary to enforce our rights under any other Terms and Conditions
- Required or permitted by law
- Sub-processors – MossPAM will not sub-contract any processing to third parties without the school/academy's written consent
- Cross-border transfers – MossPAM does not transfer data outside the European Economic Area (EEA) unless the data is being accessed by a PAM user outside the EEA
If a school ends their PAM subscription, data held within the live system will be:
- Removed from a live website within 72 hours
Backups of data containing user-identifiable information will be deleted within 3 months.
The General Data Protection Regulation (GDPR) outlines several rights. More information about these rights, including the conditions under which they apply, can be found here.
You have the right to:
- Ask for access to, or rectification or erasure of your data
- Restrict processing (pending correction or deletion)
- Object to communications or direct marketing
- Lodge a complaint with the Information Commissioner's Office at https://ico.org.uk/concerns/
You should address such requests to your school/academy which acts as the Data Controller.
None of the data within PAM is subject to the right for data portability.
PAM does not carry out any profiling or automated decision making with a "legal or similarly significant effect"